Analysis
max time kernel: 147s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211014
submitted: 16-11-2021 12:14
Static task: static1
Behavioral task: behavioral1
Sample: new order.exe
Resource: win7-en-20211014
General
Target: new order.exe
Size: 506KB
MD5: 42d37691292ac45ed40d57c76b335cd5
SHA1: 9b7e5e7d353cab9c42edb33a060f9d91200192f9
SHA256: ea03c34322299aafb7f2c7b442ff7f4a661ea952bddb76b83a1c274460eb45a5
SHA512: 8a3f2b7b8b3f6235637a4c8839998fe3cdb27376c086f1ea9a8d4146b020d7426efeb38e68d415686b63f5ff7a27b8ec6a17fc22ef37e79b21271225114b7c27
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: jy0b
C2: http://www.filecrev.com/jy0b/
Decoys:
lamejorimagen.com
mykabukibrush.com
modgon.com
barefoottherapeutics.com
shimpeg.net
trade-sniper.com
chiangkhancityhotel.com
joblessmoni.club
stespritsubways.com
chico-group.com
nni8.xyz
searchtypically.online
jobsyork.com
bestsales-crypto.com
iqmarketing.info
bullcityphotobooths.com
fwssc.icu
1oc87s.icu
usdiesel.xyz
secrets2optimumnutrition.com
charlotte-s-creations.com
homenetmidrand.com
sytypij.xyz
tapehitsscriptsparty.com
adelenashville.com
greendylife.com
agbqs.com
lilcrox.xyz
thepersonalevolutionmaven.com
graciasmiangel.com
heidisgifts.com
flchimneyspecialists.com
yorkrehabclinic.com
cent-pour-centsons.com
marcoislandsupsurf.net
expressdiagnostics.info
surferjackproductions.com
duscopy.store
uekra.tech
campaigncupgunplant.xyz
cheetahadvance.com
blickosinski.icu
laketacostahoe.com
drippysupplyco.com
isomassagegun.com
clarition.com
andrew-pillar.com
truthbudgeting.com
cloudfixr.com
cfasministries.com
compliant-now-beta.com
kssc17.icu
plewabuilders.com
uslugi-email.site
167hours.com
sodo6697.com
voyagesify.com
ranodalei.com
culturao.com
littlepotato-id.com
integtiryhvacsanmateo.com
neatmounts.com
reddictnflstream.com
digistore-maya.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/880-57-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
behavioral1/memory/880-58-0x000000000041F150-mapping.dmp                      formbook
behavioral1/memory/1248-66-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
-
Deletes itself 1 IoCs
Processes:
pid    process
1160   cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid    process
1772   new order.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                           pid    process         target process
PID 1772 set thread context of 880    1772   new order.exe   new order.exe
PID 880 set thread context of 1400    880    new order.exe   Explorer.EXE
PID 1248 set thread context of 1400   1248   raserver.exe    Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid    process
880    new order.exe   (2 entries)
1248   raserver.exe    (remaining 28 of the 30 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
1400   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid    process
880    new order.exe   (3 entries)
1248   raserver.exe    (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                pid    process
Token: SeDebugPrivilege    880    new order.exe
Token: SeDebugPrivilege    1248   raserver.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid    process
1400   Explorer.EXE   (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid    process
1400   Explorer.EXE   (2 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                         pid    process         target process   entries
PID 1772 wrote to memory of 880     1772   new order.exe   new order.exe    7
PID 1400 wrote to memory of 1248    1400   Explorer.EXE    raserver.exe     4
PID 1248 wrote to memory of 1160    1248   raserver.exe    cmd.exe          4
Processes
-
Level 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  -
  Level 2: C:\Users\Admin\AppData\Local\Temp\new order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
    Level 3: C:\Users\Admin\AppData\Local\Temp\new order.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  -
  Level 2: C:\Windows\SysWOW64\raserver.exe
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    Level 3: C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\new order.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsyC997.tmp\jagzgkp.dll
MD5: 1d837eefac21fec00909dbfb5b56a513
SHA1: 40ff5b73d8d69305cb6c1dc4b57f1cd0c7e7b429
SHA256: 02311063d33ba8efdde6229dfa0759e6d4ae6daa41bc560ccc5e61a032fe42bf
SHA512: 7d0997201bfb60fc6a2b61fb16cfe25d784ec723aa84f4b3c339d40fe887f2668a08525bf81acd992f47b67c2416ecf5331b7a63cfa503b39bae805aab39643b
-
memory/880-57-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
-
memory/880-58-0x000000000041F150-mapping.dmp
-
memory/880-61-0x00000000002C0000-0x00000000002D4000-memory.dmp (Filesize 80KB)
-
memory/880-60-0x0000000000920000-0x0000000000C23000-memory.dmp (Filesize 3.0MB)
-
memory/1160-67-0x0000000000000000-mapping.dmp
-
memory/1248-66-0x0000000000080000-0x00000000000AF000-memory.dmp (Filesize 188KB)
-
memory/1248-63-0x0000000000000000-mapping.dmp
-
memory/1248-65-0x00000000001F0000-0x000000000020C000-memory.dmp (Filesize 112KB)
-
memory/1248-68-0x0000000001EE0000-0x00000000021E3000-memory.dmp (Filesize 3.0MB)
-
memory/1248-69-0x0000000000480000-0x0000000000513000-memory.dmp (Filesize 588KB)
-
memory/1400-62-0x0000000006170000-0x0000000006247000-memory.dmp (Filesize 860KB)
-
memory/1400-70-0x0000000006CF0000-0x0000000006E0A000-memory.dmp (Filesize 1.1MB)
-
memory/1772-55-0x0000000075321000-0x0000000075323000-memory.dmp (Filesize 8KB)